CVE-2022-30587
https://notcve.org/view.php?id=CVE-2022-30587
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure. Gradle Enterprise versiones hasta 2022.2.2 , presenta un Control de Acceso Incorrecto que conlleva a una divulgación de información • https://security.gradle.com https://security.gradle.com/advisory/2022-10 • CWE-522: Insufficiently Protected Credentials •
CVE-2022-30586
https://notcve.org/view.php?id=CVE-2022-30586
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution. Gradle Enterprise versiones hasta 2022.2.2, presenta un Control de Acceso Incorrecto que conlleva a una ejecución de código • https://security.gradle.com https://security.gradle.com/advisory/2022-09 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-27919
https://notcve.org/view.php?id=CVE-2022-27919
Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API. Gradle Enterprise versiones anteriores a 2022.1, permite una ejecución de código remota si el proceso de instalación no especificó un archivo de configuración inicial. La configuración permite determinados accesos anónimos a la administración y a una API • https://security.gradle.com/advisory/2022-05 • CWE-276: Incorrect Default Permissions •
CVE-2022-25364
https://notcve.org/view.php?id=CVE-2022-25364
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.) En Gradle Enterprise versiones anteriores a 2021.4.2, la configuración por defecto de la caché de construcción incorporada permitía el acceso anónimo de escritura. • https://security.gradle.com https://security.gradle.com/advisory/2022-02 • CWE-276: Incorrect Default Permissions •
CVE-2022-27225
https://notcve.org/view.php?id=CVE-2022-27225
Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS. • https://security.gradle.com/advisory/2022-03 • CWE-311: Missing Encryption of Sensitive Data •